New Java flaw could hit 1 billion users

It's just a proof of concept for now, but a newly revealed Java vulnerability could have very widespread repercussions.

Security research company Security Explorations has issued a description of a new critical security flaw in Java SE 5 build 1.5.0_22-b03, Java SE 6 build 1.6.0_35-b10, and the latest Java SE 7 build 1.7.0_07-b10. This error is caused by a discrepancy with how the Java virtual machine handles defined data types (a type-safety error) and in doing so violates a fundamental security constraint in the Java runtime, allowing a complete bypass of the Java sandbox.

Security Explorations conducted tests on a fully patched Windows 7 machine, and was able to exploit the bug using the Java plugin in the latest versions of most popular browsers (Internet Explorer, Firefox, Chrome, Safari, and Opera). While the error was only tested on Windows 7 32-bit, being in Java means it is not limited to the Windows platform and will affect anyone with Java installed on their systems, be it Windows, Linux, Mac, or Solaris.

Adam Gowdiak, CEO of Security Explorations, said in a blog post that Oracle has been alerted to the matter and that the company needs to pay attention:

We hope that a news about one billion users of Oracle Java SE
software [3] being vulnerable to yet another security flaw is not
gonna spoil the taste of Larry Ellison's [4] morning...Java.

In an interview with ComputerWorld, Gowdiak explained that this is a new flaw in Java that has persisted even after Oracle's most recent patch, and when exploited would allow an attacker to use a malicious Java applet to install programs, or read and change data on the system with the privileges of the current user.

Gowdiak also stresses that this is a zero-day flaw; however, zero-day means the flaw is used in active exploits on the same day of its findings (giving developers "zero days" to issue a patch), but there is no mention of an active exploit for this bug, and Gowdiak's descriptions of it both on the Security Explorations' blog and in ComputerWorld's interview suggest it is more of a proof-of-concept at its current state.

So far Oracle has been provided with a technical overview of the bug and example code outlining the flaw, but has not yet acted upon it. It unfortunately is not yet known when Oracle might do so. While for the most recent zero-day vulnerability Oracle broke its quarterly update schedule to address the problem, this action was the first such steps taken and it is possible the company may fall back to its quarterly schedule and issue an update in just less than a month on October 16.

While this bug is more widespread than other recently found Java exploits, so far there is no concrete evidence of it being used in any malware exploits; however, it does stress the importance of reducing the number of active runtimes (code execution environments) on your system. If you do not need Java, then you might be best off uninstalling or disabling it. If you are unsure whether or not you need Java, then you might also remove it and then only reinstall it if any of your activities prompt you for a Java runtime requirement.